So, how can you pass the vulnerability test?

Mary Ursula Herrmann is a Network Security Analyst living in Yorktown, Va. She has worked in Information Security for over 15 years, and obtained her CISSP in 2005.

Last time I talked about how vulnerability scanning has evolved from something that was viewed as an attack to something that most people agree you should be doing on a pretty constant basis. As a matter of fact, in the past couple of years, application penetration testing, where an attempt is made to actually attack application servers to (hopefully) prove that the underlying code is secure, has taken on a greater role in security strategy. In general, when you're doing this type of penetration testing, the results are immediately interpretable, as they were in the earliest days of vulnerability scanning. But vulnerability management itself has evolved to the point where there is simply too much data to process it all at once. Hence a way of collecting and presenting data is necessary.

Over the last decade, the concept of Security Information and Event Management has been defined, argued about, and redefined by infosec professionals and vendors searching for the Holy Grail of information display. There are several companies whose products have been around for most of that time and are almost synonymous with SIEM, but despite that fact, SIEM hasn't been "commoditized" or "checkboxed" the way that vulnerability scanners and firewalls have been in the same amount of time. There are two very good reasons for this.

The first reason is that the types of data that SIEMs are expected to deal with change over time, as both security software products and the needs of the market change. For example, a typical SIEM of 2003 might have presented data from system logs and several of the more popular vulnerability scanners. What happens when the list of popular scanners changes? Or if there's a type of data that doesn't get written to system logs, but that enough of the users of a SIEM want to see represented (such as sniffed network data)?

The second reason is that the data itself is fragmented. Sometimes the vendors of software that produces certain types of data will write their own SIEM, but it doesn't incorporate the data from other vendors' products. Some vendors use MSSQL databases to store data. Some use Oracle or a proprietary flat file. Some vendors will provide an API for sharing data, some won't. In the meantime, the volume of threats is increasing, while you're not sure you're seeing the full picture of what's happening on your network.

One thing you can do to make it a little easier is to deploy a log management solution that will take all your different types of system logs and consolidate the data in one place. This is probably where most of your SIEM data is coming from, so you need to think about it first. Decide what logs are necessary for you to look at, how long you're going to keep them, and what it is you need to know, and then research which vendors have the best solution for your needs. One important thing to discuss will be which SIEMs their data will feed into. You may be in luck if your vendor markets both log management software and a SIEM, and even better if they also either market a vulnerability manager or work closely with a vendor that does.

At that point, you can decide on a SIEM, using the same type of criteria: what kind of data you need to look at and what you need to get from that data. Be prepared, at first, to have an overwhelming amount of data to deal with, until you've managed to categorize it and automate reporting functions. Be prepared, too, for the fact that no one product is going to show you all the data you need to see, so you're going to possibly have two or more different sets of dashboards and reports to deal with. The important thing, though, is to make sure that the data is getting to the people who need to see it in a form that they can easily understand and act on. Without being able to interpret results, there's no way to remediate threats.
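The consolidation step described above, as an added example that is not part of the column: two sources in different formats (a syslog-style line and a JSON finding in a hypothetical scanner export format, both constructed for this example) are parsed into one event schema, a per-source retention policy decided up front is applied, and the result is viewed per host so an analyst sees the log and scanner data for one asset together. The field names, the `RETENTION_DAYS` values and the severity heuristic are assumptions, not a product's conventions.

```python
"""
Added example: normalize events from two differently formatted log sources
into one schema and apply a per-source retention policy. Every sample record
below is constructed for this example; the scanner JSON layout is hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import json
import re


@dataclass
class Event:
    ts: datetime      # timezone-aware timestamp
    source: str       # which feed produced it ("syslog" or "vuln_scanner")
    host: str         # asset the event is about
    severity: str     # normalized, lower-case
    summary: str      # human-readable one-liner


# Constructed sample: a syslog-style line from a Linux host (recent).
SYSLOG_LINE = ("2024-03-01T08:15:22Z web01 sshd[1042]: Failed password for "
               "invalid user admin from 203.0.113.7 port 51234 ssh2")
# Constructed sample: an older syslog line that retention should drop.
OLD_SYSLOG_LINE = "2023-12-01T03:00:00Z web01 cron[812]: (root) CMD (run-parts /etc/cron.hourly)"
# Constructed sample: a JSON finding in a hypothetical scanner export format.
SCANNER_RECORD = ('{"scan_time": "2024-02-20T22:00:00Z", "asset": "web01", '
                  '"risk": "High", "plugin": "OpenSSH outdated (constructed finding)"}')

SAMPLE_RECORDS = [
    ("syslog", SYSLOG_LINE),
    ("syslog", OLD_SYSLOG_LINE),
    ("vuln_scanner", SCANNER_RECORD),
]

# Retention per source, in days: decided up front, as the column recommends.
RETENTION_DAYS = {"syslog": 90, "vuln_scanner": 365}

# Fixed "now" so the retention decision is reproducible.
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)

SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")


def _parse_ts(text: str) -> datetime:
    # Accept a trailing "Z" on older Python versions that lack it in fromisoformat.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_syslog(line: str) -> Event:
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised syslog line: {line!r}")
    # Heuristic severity: authentication failures are worth surfacing.
    sev = "medium" if "Failed password" in m["msg"] else "info"
    return Event(_parse_ts(m["ts"]), "syslog", m["host"], sev, f"{m['proc']}: {m['msg']}")


def parse_scanner(record: str) -> Event:
    d = json.loads(record)
    return Event(_parse_ts(d["scan_time"]), "vuln_scanner", d["asset"],
                 d["risk"].lower(), d["plugin"])


PARSERS = {"syslog": parse_syslog, "vuln_scanner": parse_scanner}


def normalize(raw):
    """Turn (source, raw_record) pairs into Events sorted by time."""
    return sorted((PARSERS[src](rec) for src, rec in raw), key=lambda e: e.ts)


def apply_retention(events, now=NOW):
    """Keep only events still inside their source's retention window."""
    return [e for e in events if now - e.ts <= timedelta(days=RETENTION_DAYS[e.source])]


def events_for_host(events, host):
    """One consolidated view per asset: log and scanner data side by side."""
    return [e for e in events if e.host == host]


if __name__ == "__main__":
    kept = apply_retention(normalize(SAMPLE_RECORDS))
    for e in events_for_host(kept, "web01"):
        print(e.ts.isoformat(), e.source, e.severity, e.summary)
```

Adding a third source means adding one parser to `PARSERS` and one entry to `RETENTION_DAYS`; nothing downstream changes, which is the property you want from the consolidation layer when the list of popular products shifts under you.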
